Encryption is the first line of defense for data accessed through publicly accessible web applications. That’s why it’s so important to validate that your public web applications are configured as securely as possible when it comes to SSL and TLS. The good news is that Qualys SSL Labs offers a free, easy to use web-based tool that tests public web servers for SSL, TLS and PKI configuration issues. The service has been around since 2009 and continues to quickly incorporate checks for known vulnerabilities like Heartbleed. Chances are that your customers are using similar tools to perform non-intrusive checks against …

Effectively managing local admin passwords across hosts is a common challenge for IT departments. This drives the reuse of passwords across hosts and makes local admin passwords a highly valued target for attackers to use in attacks like Pass-the-Hash (PtH). This can lead to privilege escalation and access to higher-value assets in the domain. The good news is that Microsoft offers a free, easy-to-deploy solution that simplifies the management of local admin passwords across domain-joined computers. LAPS is built on Active Directory infrastructure so there’s no need for third-party applications. The agent is a Group Policy …

The General Data Protection Regulation (GDPR) continues to be a major source of concern for IT staff across the US. It’s pushing these IT organizations outside their relative comfort zones and forcing them to adopt higher security standards. This includes many common-sense best practices. Being found in non-compliance means paying dissuasively large penalties which could cripple SMBs. Organizations with security programs that include information security audits and ongoing security program development will have a solid foundation of policies, controls and practices to build upon. For those still working towards GDPR compliance, there are some free tools and services that can be very helpful. Don’t get …

Picture this: A meeting is called to review a deal the Sales team has been chasing for over a year. You are a Software-as-a-Service or SaaS provider, the deal is over $500K in annual recurring revenue and has a 5-year contract. Needless to say, you really want to win. It’s down to your company and your number one competitor. In that meeting, the first question from the CEO is, “How do we win this?” The SVP of Sales responds, “We’re well positioned, our coach says it’s ours to lose; the only thing left is the Information Security review”. All eyes turn to …

As a CTO with too many years of experience to want to count, I’m often attracted to the next opportunity because my new company is looking to build a product that addresses a compelling problem. For example, I’m currently working on a “next generation” product to leverage voice recognition, mobile devices, smart watches and smart glasses in warehouses and distribution centers. A pattern that has repeated itself in my career is that I come into a new role excited to attack this “new problem”, and then reality sets in. Among these realities is, how are we going to protect our …

I was a Chief Information Security Officer. Not a virtual one. A human one. My name is Chris Williams. I’m a founder and Managing Partner at Perpetually Geek. My passion for information security grew out of necessity. Having worked at a document management firm where we began developing and hosting SaaS applications starting in the late ‘90s, we were considered cutting edge. We had strong executive vision and leadership, were attracting venture funding, building an impressive client book of top companies in the world, hiring top talent, and building our company for the future. All was right in the world. At that time, we were building out our infrastructure, including our own private cloud, and architecting our data centers for resiliency as we expanded our geographic footprint. It was …

Clearly cybersecurity is on the world’s stage, especially here in America. It has been made more visible to the general public through the concerns over Russia’s alleged influence over our presidential election, and the proliferation of “tax filing scams” reported in the general news media. Even before our election, the hacking of records maintained by TARGET, BEST BUY and YAHOO, with almost 1.5 billion records stolen, has created great concern, interest and hopefully awareness among the American public as individuals go about their business transactions. At the same time, in corporate life, it has been often stated that the greatest point of vulnerability …

It used to be that SaaS providers could deal with security and compliance related items a couple of times a year with limited focus and effort while attempting to check the most common customer-facing Information Security check boxes. This learned behavior evolved more out of necessity than anything else. Many SaaS providers can’t afford the cost to hire dedicated security personnel, so existing IT staff are expected to take on Information Security responsibilities, in addition to their existing duties, with little to no further training or mentoring. This is “that” topic neither side wants to talk to the other about. Management …

You probably know this even if you have never vocalized it: cyber threats to businesses and individuals will continue to evolve and adapt to whatever defensive measures we employ, and therefore there is no achievable end-game approach for your security and compliance program. For large businesses with mature security and IT departments, the allocation of funds and time to protect their resources is a given. For small to medium businesses (SMBs) it’s just not as simple. When SMBs try to address their security and compliance needs, they are often diverting much-needed resources from their core business objectives, and that’s a …

Part 2 (read Part 1 here). In my previous post, I pointed out that because of the evolving nature of security today there is no end-game that a business could prepare for. Businesses must focus on their core objectives, minimize the security and compliance distractions, and try to engineer their security and compliance efforts directly into their intellectual property. With all of that in mind, a leader must decide what to do. Much of the advertising for security services and products portends an imminent calamity about to befall your business, à la a crime suspense drama you might see …